Your data is safe. Your tenants' data is safe.

UnitFull never touches card numbers, CVCs, or expiry dates. All card capture goes through Stripe Elements hosted fields — your browser communicates directly with Stripe, and our servers receive only a tokenized reference. Card data never enters our database, our logs, or our infrastructure.

• Stripe API keys stored in encrypted environment variables, never client-side.
• No card data in application logs — Sentry scrubbers enforced at the SDK level.
• API key rotation per Stripe's quarterly recommendation.

All traffic between operators, tenants, and UnitFull uses TLS 1.2+. Data at rest is encrypted by the managed Postgres provider at the storage level. Sensitive fields (SSNs if collected, military status flags) are additionally encrypted at the application layer before write.

Daily automated backups with a 35-day retention window. Backups are region-redundant — a single data center failure does not affect your data. Point-in-time recovery is available for the full retention window. Recovery time objective and recovery point objective are documented in our status page.

We are currently pursuing SOC 2 Type II certification. The audit observation period begins Q3 2026; report expected Q1 2027. Until the report is available, we'll share our current security controls documentation with prospective enterprise customers under NDA — contact us.

UnitFull's primary customer base is US-based, but we apply GDPR-aligned practices as the default: data minimization, purpose limitation, and a clear retention policy. Tenant data is processed only to operate the facility management contract; it is not sold, shared with ad networks, or used for any purpose outside the contracted service.

Operators with EU tenants can request a Data Processing Agreement (DPA) — contact support.

Your data is yours. Every entity (facility, unit, tenant, lease, transaction) has a CSV export endpoint accessible to account owners. Full export on demand — no fee, no support ticket, no waiting.

• No data export charges. Ever.
• On contract termination: 90-day grace period to export, then secure deletion.
• "Your data is yours" clause is in our standard MSA — not fine print, the opening section.

Found a vulnerability? Email security@unitfull.ai. We respond within 24 hours, patch critical issues within 72 hours, and credit researchers in our changelog. We do not pursue legal action against good-faith security researchers.